Iran’s Cyber Threat Persists as Ceasefire Holds

June 26, 2025
Despite a halt in military conflict, cybersecurity experts warn that Iran continues to pose a serious and evolving threat to U.S. infrastructure.

Following a volatile round of warfare between Iran and Israel — marked by intense strikes across major cities and U.S. bombing of Iranian nuclear facilities — a tenuous ceasefire is now in place. But while the missiles have stopped flying, the cyber threat from Iran continues to concern security officials.

Even before the ceasefire, U.S. intelligence officials had warned that Iran might retaliate against American involvement by launching cyberattacks on critical infrastructure. Electrical grids, water systems and financial networks were seen as high-risk targets. Now, despite the pause in direct military conflict, Iran’s cyber posture continues to raise alarms among security professionals who view the nation’s digital capabilities as a persistent and ideologically driven threat.

A recent advisory from the Department of Homeland Security (DHS) reinforces those concerns, warning of Iranian state actors and affiliated groups seeking to exploit unprotected networks and connected devices across the U.S. The battle may have quieted in the physical realm — for now — but in cyberspace, the threat has not receded, sources tell SecurityInfoWatch.

“The risk is real and grounded in doctrine. Iran’s cyber capabilities are part of its broader strategy of asymmetric retaliation, used to impose costs without direct confrontation,” said Charles Randolph, senior vice president of strategic intelligence and security at 360 Privacy. “With the U.S. now directly involved in strikes on Iranian nuclear infrastructure, Tehran will respond, and cyber operations are a primary tool in its geostrategic kit.”

These campaigns — often run through advanced persistent threat (APT) groups — are designed to disrupt, create doubt and apply pressure below the threshold of war, Randolph explained. “The goal isn't always destruction; it's to erode trust, signal capability and influence perception.”

Though opinions vary on how aggressively Iran will wield its digital arsenal, the potential for attacks on high-impact targets is seen as more than theoretical. As Will Knehr, senior manager of information assurance and data privacy at i-PRO Americas, explained, “The threat is both real and intensifying.” His assessment is reinforced by years of documented cyber campaigns attributed to Iranian groups like APT33, APT34 and APT35 — actors known for persistent and often ideologically motivated operations.

Still, not every expert believes a catastrophic attack is imminent. Mark Freedman, principal and CEO of Rebel Global Security, cautions against overstatement. “The threat is real, but I’d be cautious about over-stating its severity,” he said. “The Iranians have demonstrated real reluctance to escalate the situation, and that calculus will apply to their use of cyber operations as well.”

High-value targets: Sectors in the crosshairs

Iran’s cyber operations have historically focused on sectors that can deliver both disruption and symbolic impact. That’s not expected to change.

“Energy, logistics and financial services remain top targets,” said Randolph. “They represent both economic lifelines and geopolitical leverage.” He pointed to incidents such as the 2012 Shamoon attack on Saudi Aramco and the 2019 strikes on Gulf oil facilities.

“We’re also seeing increased probing of U.S. water utilities, port systems and regional power grids,” Randolph said. “These sectors are vulnerable not only to malware but also to accompanying disinformation campaigns that amplify panic and reduce trust.”

Knehr noted that Iran often goes after “soft targets to maximize disruption,” including state and local government systems and healthcare. “Their campaigns are persistent and ideologically driven, which increases risk,” he said.

Katrina Rosseini, founder of KRR Ventures Advisory, cited healthcare and utilities as increasingly vulnerable. “Hospitals are increasingly under threat, with a 45% rise in healthcare cyberattacks since 2020. Water systems are not immune either,” she said, referencing recent attempts to shut down or contaminate municipal water supplies.

According to Freedman, the water sector stands out for its combination of critical function and poor defenses. “Iran and its supporters targeted the water sector with notable incidents in 2013 and 2023,” he said. “The water sector is also highly vulnerable in the United States.”

Tactics, threat actors & what to watch for

The tactics used by Iranian-affiliated groups range from credential harvesting and phishing to disruptive wiper malware — designed to delete data or render systems inoperable — and influence campaigns designed to spread panic.

“We’d likely see credential harvesting followed by wiper or ransomware-style attacks targeting water systems, ports or smaller utilities,” said Randolph. “These are high-impact, low-defense targets that can deliver real disruption without complex methods.”

While most experts warn of looming cyber retaliation, not everyone agrees a significant campaign is likely.

“I’m contrarian in this regard. Cyberattacks are primarily support operations: either gathering information or disrupting services to support a physical or kinetic intelligence or military operation,” said Bryson Bort, founder of SCYTHE, a next-generation threat emulation platform, and the cybersecurity consultancy GRIMM Cyber. “With hostilities in a current cessation, a ‘saving face’ response of missile attacks on U.S. military bases in the region, and little meaningful cyber actions to accomplish in such short order, I doubt there will be anything significant.”

Among other potential warning signs that could indicate an Iran-linked campaign, Knehr noted use of compromised VPN credentials to bypass perimeter defenses and simultaneous attacks across unrelated sectors, suggesting coordination or supply chain compromise.

“CISA and the FBI have emphasized the need to monitor for behavioral anomalies, not just known indicators of compromise (IOCs), due to the adaptive nature of Iranian TTPs,” Knehr explained.

Bort emphasized that many Iranian campaigns begin with phishing and target outdated, internet-connected devices used for remote access in industrial environments. “Asset owners should share phishing campaigns as they’re identified, making it harder for Iranian attackers to reuse them and forcing continual reinvestment,” he said. “They should also increase monitoring during off-hours — which coincide with Iran’s business day — especially on services that allow remote access.”
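The off-hours monitoring Bort recommends for remote-access services can be turned into a simple detection rule. The following is an added example, not code from the article or any of the quoted vendors; it assumes a syslog-style VPN authentication log format and a local off-hours window of midnight to 06:00, both constructed for illustration, and flags successful off-hours logins plus any account authenticating from more than one source address (a possible sign of reused credentials).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample remote-access log lines (assumed format, local time);
# not taken from any real system.
SAMPLE_LOGS = """\
2025-06-24T02:14:07 vpn01 auth: user=jsmith result=SUCCESS src=203.0.113.10
2025-06-24T02:16:51 vpn01 auth: user=jsmith result=SUCCESS src=198.51.100.7
2025-06-24T09:30:12 vpn01 auth: user=mlee result=SUCCESS src=192.0.2.44
2025-06-24T03:02:33 vpn01 auth: user=ops-admin result=FAILURE src=203.0.113.10
2025-06-24T03:02:40 vpn01 auth: user=ops-admin result=SUCCESS src=203.0.113.10
2025-06-24T14:05:00 vpn01 auth: user=mlee result=SUCCESS src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) \S+ auth: user=(\S+) result=(\S+) src=(\S+)$")
# Assumed local off-hours window (hours 0 through 5); tune to the site's business day.
OFF_HOURS = range(0, 6)


def parse(log_text):
    """Yield one dict per well-formed auth line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m.group(1)),
                "user": m.group(2),
                "ok": m.group(3) == "SUCCESS",
                "src": m.group(4),
            }


def find_alerts(log_text):
    """Return (reason, user) tuples for off-hours successful logins and for
    accounts that succeeded from more than one source address."""
    alerts = []
    sources_by_user = defaultdict(set)
    for e in parse(log_text):
        if not e["ok"]:
            continue  # failures are noisy; only successful sessions are alerted here
        sources_by_user[e["user"]].add(e["src"])
        if e["ts"].hour in OFF_HOURS:
            alerts.append(("off_hours_login", e["user"]))
    for user, ips in sources_by_user.items():
        if len(ips) > 1:
            alerts.append(("multiple_source_ips", user))
    return alerts


if __name__ == "__main__":
    for reason, user in find_alerts(SAMPLE_LOGS):
        print(f"{reason}: {user}")
```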

While Iran’s capabilities may not match the technical sophistication of Russia or China, their threat is uniquely aggressive. “Iranian APTs are generally less sophisticated but often more aggressive and ideologically driven,” said Randolph. “Where Russia aims to destabilize and China to quietly extract, Iran seeks visible retaliation — especially during moments of escalation.”

Why preparedness remains uneven

Despite years of warnings, many organizations — especially mid-tier and regional infrastructure operators — remain unprepared for sustained nation-state threats.

“Most organizations aren’t fully prepared for this kind of hybrid threat,” said Randolph. “Many still lack segmentation between IT and OT networks, overlooking reputational and disinformation risks. It should no longer be just about patching, but about resilience across domains.”

Rosseini agreed, stressing that legacy systems and lack of proactive investment are widespread problems. “Critical infrastructure often relies on outdated tech and weak security, making it an easy target,” she said. “In cybersecurity, we’re only as strong as our weakest link — and the clock is ticking.”

Bort added that a divide still exists between the “Haves and Have-Nots” in cyber resilience. “Most critical infrastructure operators are in the Have-Not category,” he said, citing limited budgets, old equipment and staff shortages. “An electric coop might only have one IT specialist for everything. When I teach, I joke that industrial control systems are any computer that is at least 20 years old, which is what makes them inherently vulnerable and gives an idea of the cost and lifecycle they are designed for.”

Defensive imperatives in an asymmetric fight

So what more can be done now to strengthen defenses and stay ahead of evolving threats? Experts universally point to fundamentals — patching systems, enforcing multi-factor authentication, segmenting networks — as essential defenses.

“This is a good time for U.S. organizations to review basic cyber hygiene,” Freedman said, “and stay tuned for alerts from CISA, DHS, OSAC and other government entities, which may have specific security recommendations.”

Knehr pointed to CISA’s “Shields Up” initiative, which advises patching high-risk vulnerabilities, enforcing multi-factor authentication (MFA), monitoring remote access, and segmenting IT and OT networks.

“Organizations should also review recovery protocols, validate backup integrity and prepare for destructive scenarios, not just data theft,” he said.

Yet several experts voiced concern about the state of information sharing. “Unfortunately, we are in the middle of transitioning these capabilities from the federal government to the states,” said Bort. “This is not well planned or orchestrated and means we have currently reduced our ability to respond.”

Knehr noted that smaller operators are especially at risk. “Greater automation in threat dissemination, more declassified technical indicators and improved cross-sector collaboration are key,” he said. “Additionally, real-time collaboration platforms — like those piloted under JCDC — need to be scaled and funded long-term to keep pace with state-aligned threats.”

While the scale and intent of Iran’s next move remain uncertain, security leaders would do well to treat this moment as a proving ground for their cyber readiness — not just a geopolitical footnote, sources explain.

“Iran’s retaliation model often pairs physical or digital disruption with perception warfare,” said Randolph. “Defense needs to match that complexity.”

Ultimately, Rosseini summed up the stakes with a stark reminder. “When physical defenses can’t be breached, adversaries will exploit the weakest links,” she said. She invoked “The Art of War” to drive the point home. “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

About the Author

Rodney Bosch | Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].